Their guns drawn, a dozen federal agents, police and forensics experts kicked in the door of a run-down two-story home in Arkansas shortly after dawn, barged inside and ordered the occupants to put their hands on their heads.

The target of the raid was neither terrorist nor bank robber. He was a 24-year-old computer hacker suspected of handing off stolen e-mail addresses to the media.

With that, the Justice Department began a case that has come to symbolize what some lawyers and civil libertarians see as overreach in the government’s campaign against cybercrime.

The hacker, Andrew Auernheimer, was convicted and sentenced last month to more than three years in prison for obtaining about 120,000 e-mail addresses of iPad users from AT&T’s Web site — including New York Mayor Michael R. Bloomberg (I), Hollywood executive Harvey Weinstein and other prominent figures — and giving them to the Web site Gawker. When it happened three years ago, the data breach jolted federal officials because it affected one of the nation’s most prominent companies and triggered fears about the security of increasingly popular mobile devices.

Yet only a few, heavily redacted e-mail addresses were published, court documents show. No one’s account was broken into. AT&T fixed the problem in about an hour, and a company official testified that there probably was not enough evidence to sue the hackers.

The case highlights a growing debate over how to define right and wrong in the digital age, what is public and proprietary online, and how far law enforcement should go in pursuing cybercrime.

Today the Ninth Circuit handed down its long-awaited en banc decision in United States v. Cotterman, a case on the lawfulness of searching a computer at the border. (My prior posts are here, here, here, and here.) Today the Ninth Circuit announced a special rule for computer searches: Although a “review of computer files” can occur without reasonable suspicion, the “forensic examination” of a computer at the border requires reasonable suspicion because it is “akin to reading a diary line by line looking for mention of criminal activity—plus looking at everything the writer may have erased.” Here’s the key part of the analysis:

The relevant inquiry, as always, is one of reasonableness. But that reasonableness determination must account for differences in property. Unlike searches involving a reassembled gas tank, or small hole in the bed of a pickup truck, which have minimal or no impact beyond the search itself—and little implication for an individual’s dignity and privacy interests—the exposure of confidential and personal information has permanence. It cannot be undone. Accordingly, the uniquely sensitive nature of data on electronic devices carries with it a significant expectation of privacy and thus renders an exhaustive exploratory search more intrusive than with other forms of property.

After their initial search at the border, customs agents made copies of the hard drives and performed forensic evaluations of the computers that took days to turn up contraband. It was essentially a computer strip search. An exhaustive forensic search of a copied laptop hard drive intrudes upon privacy and dignity interests to a far greater degree than a cursory search at the border. It is little comfort to assume that the government—for now—does not have the time or resources to seize and search the millions of devices that accompany the millions

Despite some recent momentum, there’s not much clamor for change coming from the White House — and as expected, the Justice Department, which once tried to expand the penalties of the so-called Computer Fraud and Abuse Act, has been silent.

While there’s a new reform push on Capitol Hill backed by a few powerful members, the key committees with jurisdiction have other plans in mind — and their agendas are packed with immigration reform and gun control. More than that, Congress actually has been fond of stronger punishments for some offenders.

It’s not to say the principles known as Aaron’s Law won’t ever reach the president’s desk in some form — just that all the Internet hype and rallying mark only the beginning of a new and lengthy political journey.

I think that’s probably right, unfortunately. Narrowing federal criminal law is always hard, both because elected officials don’t want to seem ‘soft on crime’ and because the head of the executive branch has the veto power. Plus, on this issue specifically, the Internet companies and service providers that have a lot of influence on the Hill aren’t natural allies with civil libertarians. Those companies want their customers to feel that using their products is private, which can lead companies to favor expanding privacy protections in the context of government investigations. But when it comes to the substantive criminal laws, those same companies tend to see themselves as victims of computer crimes (whether from outside hackers or insiders). As a result, they tend to be wary of narrowing the laws. So as the Politico story says, expect a lengthy political journey. And keep an eye out […]

I have been beating the drum on the need to narrow the Computer Fraud and Abuse Act for a decade or so, so I was happy to see today’s cartoon for “Tom the Dancing Bug” pick up the cause, too. I don’t know if I can reprint the cartoon here for copyright reasons, but you can click here to see it. For my related op-ed from 2011, see here. And for a video of me ranting about the broad scope of the CFAA — or at least coming as close as I come to ranting — see here at the 44:10 mark (and pardon the echo).

In the spirit of the post, I thought I would also reprint the conclusion of the CFAA chapter in the 3rd edition of my Computer Crime Law casebook. As lawyers and law students know, it is common for law school casebooks to supplement cases with extensive “notes and questions” offering additional points and questions for further thought. Here’s the last “note” in the chapter:

The scope of criminal liability for computer misuse is very broad. A critic of existing law might say that the legislature’s basic approach is to criminalize everything and then rely on prosecutorial discretion to select appropriate cases for criminal punishment.

Is this criticism accurate? And if it is, do you think the legislature has acted wisely? Computer technologies and social practices change rapidly, and it may be difficult for the law to keep up. Is it sensible for legislatures to impose broad criminal liability ex ante, so that prosecutors are rarely or never in a position of being unable to charge a worthy case? Or should the legislature only impose liability narrowly, so that new computer technologies can evolve without the threat of criminal punishment? Do you trust prosecutors

In a recent post, I suggested a way to narrow the Computer Fraud and Abuse Act, 18 U.S.C. 1030. In narrowing that law, I intentionally excluded the problem of “insiders” who might misuse computers. There are really two situations to worry about. First, there’s the Aleynikov problem: an employee at a company who is thinking of leaving the company might access the computers of his employer and copy valuable data to help start a competing business or sell the data. Second, there’s the Rodriguez problem: A government employee might misuse sensitive government databases.

I don’t think these facts should fit under 18 U.S.C. 1030 because they deal with a different kind of problem; it’s hard to fit them in to 1030 without causing incredibly broad liability. But I do think it’s fair to want to criminalize such conduct with a different statute. So I have drafted such a proposal and posted it here: Proposal for 18 U.S.C. 1031, Employee Misuse of Computer Information. My proposal isn’t perfect, and I’d want to fiddle with it a bit myself, but the idea is to enact a narrow statute to deal with the specific problems of insiders.

UPDATE: I have updated the draft a bit in response to commenters, and I thought I would add an explanation in response to this comment:

Why do the federal law and your proposal have to address the technology — computers — rather than the underlying wrongful conduct: stealing a company’s information or improper use of government property?

Presumably someone who takes hundreds of documents from Goldman Sachs’ file cabinets, and uses those documents to start a rival business, is no less culpable than the Aleynikov problem.

The reason is two-fold. For part (a), Employee Misuse of Information for Private Financial Gain, the […]

There has been a lot of interest in amending the Computer Fraud and Abuse Act in light of the Aaron Swartz prosecution. I have drafted some changes and uploaded a red-lined version here.

My proposal has lots of parts, but the big ones are: (1) eliminating liability for exceeding authorized access, (2) tightening the felony thresholds throughout the statute, and (3) eliminating several sections of the statute, including 1030(a)(3) and (a)(4), which are redundant, and 1030(g), the civil liability provision which is chiefly responsible for the overly expansive readings of the statute.

No rewriting of a statute is going to be perfect, but perhaps this proposed redrafting will be of interest to some who are debating the future of this statute. […]

1) Duke lawprof Jamie Boyle has posted a thoughtful reply to my two posts on the Aaron Swartz case over at The Public Domain. I plan to post a response to Jamie when I have time to do so — in a day or two, I hope — but in the meantime I wanted at least to recognize his post and provide the link for interested readers.

2) Senator Cornyn has sent a letter to Attorney General Holder asking for a detailed explanation from Holder of why DOJ exercised its discretion in the Swartz case as it did. Senator Cornyn is my former boss, so maybe I am biased here, but I think that’s a productive way to get DOJ to say more about its perspective on the case. It will be interesting to see how DOJ responds.

Among the questions raised by the Cornyn letter is whether DOJ policy gives U.S. Attorneys the discretion to charge cases consistent with the gravity of the wrongdoing in the case. The answer has changed over time. Traditionally, the answer was “yes.” In 2003, however, then-AG John Ashcroft announced a new policy essentially eliminating that discretion. With narrow exceptions, all federal prosecutors were required to “charge and pursue the most serious, readily provable offense or offenses that are supported by the facts of the case.” In 2010, however, AG Eric Holder overturned the Ashcroft policy with a new memo restoring the traditional role of prosecutorial discretion. You can read the 2010 Holder policy here. […]

This is the second in a series of posts on the Aaron Swartz prosecution. In my first post, I analyzed whether the charges that were brought against Swartz were justified as a matter of law. In this post, I consider whether the prosecutors in the case properly exercised their discretion. As some readers may know, prosecutors generally have the discretion to decline to prosecute a case; once they charge a case, they have the discretion to offer or not offer a plea deal; and once they offer the plea deal, they have some discretion to set the terms of the offer that they will accept. This post considers whether the prosecutors abused that discretion.

To provide some attempted answers, I’m going to break down the question into four different issues: First, was any criminal punishment appropriate in the case? Second, if so, how much criminal punishment was appropriate? Third, who is to blame if the punishment was excessive and the government’s tactics were overzealous? And fourth, does the Swartz case show the need to amend the Computer Fraud and Abuse Act, and if so, how?

This is a very long post, so here’s a summary of where I come out on these four questions.

On the first question, I think that some kind of criminal punishment was appropriate in this case. Swartz had announced his commitment to violating the law as a moral imperative in order to effectively nullify existing federal laws on access to information. When someone engages in civil disobedience and intentionally violates a criminal law to achieve such an anti-democratic policy goal through unlawful means — and when there are indications in both words and deeds that he will continue to do so — it is proper for the criminal law to impose a punishment under […]

The Internet activist Aaron Swartz has died from an apparent suicide. Swartz was facing a criminal trial in April on charges arising from his effort to “liberate” the JSTOR database, and there has been a lot of commentary accusing the prosecutors in his case of having abused their role in ways that contributed to Swartz’s tragic death. Swartz’s friend Larry Lessig led the way by angrily condemning the prosecutors who charged Swartz as “bullies” who acted like they “had caught the 9/11 terrorists red-handed.” According to Lessig, the prosecutors acted in “the most absurd or extreme way” and “don’t deserve to have the power of the United States government.” A lot of people seem to agree, and today’s media has picked up the story. The New York Times is running a headline, “A Data Crusader, a Defendant and Now, a Cause.” The Associated Press has a somewhat similar story, “Swartz’ Death Fuels Debate Over Computer Crime”.

The criticisms of the Swartz prosecution concern two different questions. The first question is the law. Were the charges against Swartz based on a fair reading of the laws? Or was the prosecution being overly aggressive or relying on strained theories in charging Swartz as it did? The second question is discretion and judgment. The DOJ has the discretion to charge cases or not, and prosecutors can agree to different plea deals or even agree to have charges dismissed. Were the prosecutors in this case unfair in how they exercised discretion, or did they act irresponsibly in the case in how they exercised the discretion that the law grants them?

I hope to answer these questions in two posts. In the first post, I’m going to try and answer the first question — the law — as informed by my background as […]

Last year, I posted about a recently-filed criminal prosecution in which the federal government was charging a state fraud scheme involving poker machines under the Computer Fraud and Abuse Act:

Andrew Nestor learned of a programming flaw in certain video poker machines used in Las Vegas. By using a certain feature and playing a particular combination, a person could trick the poker machine into paying out winnings at a higher rate than it should have. Nestor played the combination, and he was able to receive winnings that he was not entitled to have. At this stage, it sounds like a state law offense of theft or fraud. Nestor stole the money from the machine by fraud.

But was a federal crime committed, as opposed to a state crime? Federal prosecutors love to charge fraud cases under the wire fraud statute, 18 U.S.C. 1343, but that wouldn’t work here. Liability under the wire fraud statute requires a crossing of state lines, while here all the action occurred in a single room. So instead the government charged Nestor with a CFAA violation, and specifically 18 U.S.C. 1030(a)(4), which punishes “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.”

Note that there is no longer a requirement of crossing state lines, as there is in the case of the wire fraud statute. Instead, the only federal hook is that the computer be a “protected computer.” But that’s really no federal hook at all: Protected computers are defined

In fact, the privacy groups have added so much baggage to the information sharing provisions that the new law is nearly useless to private sector companies who want to improve cybersecurity. And it may actually impose an entire new regulatory and liability yoke on companies that treat cybersecurity seriously.

It’s worth remembering why the information sharing provisions are necessary. The reason is that, with the support of privacy groups in years past, Congress prohibited many companies from sharing customer information with the government in the absence of a subpoena. Congress also authorized states to adopt “two-party consent” restrictions on interception of communications. In an age of widespread network intrusions, both of these laws have the effect of protecting hackers and spies.

How so? Controlling spearphishing requires that incoming packets be monitored for malware; and that in turn means intercepting the communications. Since it’s unlikely the attacker who is sending malware will consent to such monitoring, this monitoring creates legal risks in two-party consent states. Similarly, unless private companies can tell the government in real time which of their customers are sending malware, the government cannot protect itself. All of the bills pending in Congress override these poorly conceived and overbroad privacy provisions.

Privacy groups don’t like to be reminded that privacy laws they supported are now protecting bad guys, so it’s no surprise that they aren’t comfortable with the new […]

The Senate’s big cybersecurity bill has finally surfaced officially, and the hearing will be tomorrow at 2:30 DC time in front of the Homeland Security and Government Affairs Committee. After Sen. Rockefeller and Sec. Napolitano, I’ll be part of a panel that includes Gov. Tom Ridge, Scott Charney of Microsoft, and Jim Lewis of the Center for Strategic and International Studies.

Here’s the first few pages of my prepared testimony. The rest is up on Skating on Stilts, for those who just have to see my take on how to draft cybersecurity emergency authorities.

Mr. Chairman, Ranking Member Collins, members of the committee, it is an honor to testify before you on such a vitally important topic. I have been concerned with cybersecurity for two decades, both in my private practice and in my public service career, as general counsel to the National Security Agency and, later, to the Robb-Silberman commission that assessed U.S. intelligence capabilities on weapons of mass destruction, and, more recently, as assistant secretary for policy at the Department of Homeland Security. In those two decades, security holes in computer networks have evolved from occasionally interesting intelligence opportunities into a full-fledged counterintelligence crisis. Today, network insecurity is not just an intelligence concern. It could easily cause the United States to lose its next serious military confrontation.

Moore’s Outlaws: The Exponential Growth of the Cybersecurity Threat

Our vulnerabilities, and their consequences, are growing at an exponential rate. We’ve all heard of Moore’s Law. What we face today, though, are Moore’s outlaws: criminals and spies whose ability to penetrate networks and to cause damage is increasing exponentially thanks to the growing complexity, vulnerability, and ubiquity of insecure networks. If we don’t do something, and soon, we will suffer network failures that dramatically change our lives and futures, […]

I’ve blogged a lot about the Ninth Circuit’s en banc case in United States v. Nosal, on the scope of the Computer Fraud and Abuse Act — and more specifically, on whether it’s a federal crime to violate an express written restriction on using a computer. You can watch last Thursday’s oral argument in the case here:

Chief Judge Kozinski presided, and he seemed pretty clearly on the side that I’ve been advocating here at the blog, in the Drew case, in my recent testimony, and in my law review articles. I was very pleased to see that, although I wasn’t surprised in light of Judge Kozinski’s libertarian streak. At the same time, I don’t think we have enough information to count votes accurately, as only about four judges spoke in ways that might have indicated their views (two for Nosal, two for the United States, I believe). I’m cautiously optimistic, but we’ll have to see how the votes shake out in the end.

I’ll hide my more detailed reactions below the break for the handful of CFAA nerds in the VC readership … […]

I recently read Popular Mechanics’ riveting article reconstructing the last minutes of Air France 447, which in 2009 disappeared without explanation over the Atlantic between Rio and Paris. Using the cockpit transcript, the article reveals that the pilots essentially flew a fully functioning passenger jet into the sea. Why? It appears that a temporary loss of flight speed data and then the disconnection of autopilot systems panicked a copilot into lifting the nose of the plane. He then more or less kept the stick pulled all the way back as the plane lost forward speed and plunged into the ocean, paying no attention to dozens of blared stall warnings. Here’s a bit of the transcript and Popular Mechanics’ commentary:

02:10:55 (Robert) Putain! (Damn it!)

Another of the pitot tubes begins to function once more. The cockpit’s avionics are now all functioning normally. The flight crew has all the information that they need to fly safely, and all the systems are fully functional. The problems that occur from this point forward are entirely due to human error.

02:11:03 (Bonin) Je suis en TOGA, hein? (I’m in TOGA, huh?)

Bonin’s statement here offers a crucial window onto his reasoning. TOGA is an acronym for Take Off, Go Around. When a plane is taking off or aborting a landing — “going around” — it must gain both speed and altitude as efficiently as possible. At this critical phase of flight, pilots are trained to increase engine speed to the TOGA level and raise the nose to a certain pitch angle.

Clearly, here Bonin is trying to achieve the same effect: He wants to increase speed and to climb away from danger. But he is not at sea level; he is in the far thinner air of 37,500 feet. The engines generate less thrust here, and the wings generate […]